DLP and endpoint security

Well, we're well into summer and we've had a short break during our two-month combo edition for June and July so let's get back to it with one of our more active groups: data leak prevention (DLP) and endpoint security. We combined the two this year because, in the spirit of convergence, we are seeing the two groups come together as endpoint starts to include DLP more and more. You'll see a bit of that in this month's products.

DLP is a key issue now because it is pretty much a given that our networks have been penetrated. The challenge now is to keep the bad guys from exfiltrating our data. The exception, of course, is ransomware and you can get a feeling for that problem in my blog from time to time. Ransomware is where a really good endpoint protection tool can cover for you.

There are several state actors that specialize in exfiltrating data. For example, just one IP in our honeynet gets hit around 45,000 times a day from one particular state actor. If we extrapolate that to an enterprise that has more than a single IP exposed to the internet – a web server, DNS server, etc. – we can expect at least as much activity. In our case, we have done nothing to invite the bad guys in. The domain is not registered to us – or, it appears not to be – and the target has only an IP address and no DNS entry. It took a while for this actor to find us – probably a couple of days or so – but find us it did, and now we see scans, probes and outright attacks from several hundred source IPs in the actor's IP blocks.

That suggests that we need to take action both at the perimeter and at the endpoint. DLP belongs in both places, but this month we focus on the endpoint. The products were interesting and there were several, so there is a lot to look at. What we found particularly interesting was that, even though we had two groups combined, it was not uncommon to see products with the characteristics of both. So – alluding to our earlier comment – this is a harbinger of convergence. It certainly will be interesting to see what next year brings.

Often, when we have two groups combined into a single one, we give two Recommended Product designations. Because these two are so close – and getting closer – we won't do that this month. There are several things that we looked for, including whether the product was SaaS, on-premises or a combination. We paid close attention to ease of deployment and, as you might imagine, we saw the gamut – from everything in and set up in under 15 minutes to calls to support for help because things did not work the way the quick-start guides told us they should.

We believe strongly that these tools should have some important features in common: ease of setup, deployment and management; transparency to the endpoint user; and resistance to being disabled by the endpoint user. To that we add flexibility in specifying DLP policies for products that include DLP functionality.

This was the last month that we used our physical test bed. We are retiring the six computers dedicated to it and moving our entire test environment to a virtual one. We expect that this will make us more flexible. Of course, for physical appliances – such as those we see in the UTM and SIEM groups – we still have our umbilical cords ready to connect, but now, instead of interconnecting with the physical servers, they will talk to the virtual environment.

SC Media arms cybersecurity professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.